Compared with V1R1, TSM V1R2 adds an isolation domain, so there are now three domain concepts. The pre-authentication domain is the set of public network resources a terminal can reach without any identity authentication. The isolation domain is the zone a terminal host is allowed to access once its user has passed identity authentication but has not yet passed security authentication. The post-authentication domain is the zone that can be accessed after the terminal user has passed authentication in full.
A customer bought our TSM V1R2 system for access control. Each of its organizational departments and sub-departments has its own dedicated service system, and the customer requires that each department can access only its own service system and cannot access the service systems of other departments.
This requires fine-grained control in the post-authentication domain: the controlled-domain resources have to be refined so that each department's users correspond one-to-one to their service system. We first surveyed the customer's service servers and produced a list matching each organizational department to its independent service system. Then, following the minimization principle and based on how the service servers in that list are distributed, we built an independent service resource pool in the controlled domain for each system, defined by IP address, mask, protocol type and port. Next, we created a separately named post-authentication domain for each service system and attached its independent resource pool to it. Finally, we assigned the corresponding post-authentication domain to each organizational department or individual user, so that:
Department A can access only service server A and cannot access service server B;
Department B can access only service server B and cannot access service server A; and so on.
Three further points need attention here:
1. In the post-authentication domain, "default ban" means all resources are banned by default and only the resources selected in the controlled domain are released; "default release" means all resources are released by default and only the resources selected in the controlled domain are banned.
2. Whether the SACG isolation domain and post-authentication domain are applied to a department or to an individual user, the operation is possible only after the configuration mode has been changed to user-defined settings.
3. If an individual needs to access several service systems across departments, this is achieved by creating a separate post-authentication domain that contains the controlled resources of all of those systems, because multiple post-authentication domains cannot be assigned to one object at the same time.
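The following is an added illustration, not Huawei TSM or SACG code, of the policy the procedure above builds: resource pools defined by IP/mask, protocol and port, one post-authentication domain per service system with either a default-ban or default-release action, exactly one domain per department or user, and a single combined domain for a cross-department user (point 3). The class names, the sample addresses 10.1.1.0/24 and 10.1.2.0/24, the ports, and the object names dept_A, dept_B, user_x and contractor are all constructed assumptions.

```python
"""Policy model for TSM V1R2 post-authentication domains.

Added illustration, not Huawei TSM/SACG code. All names, IP ranges and ports
below are constructed assumptions, not taken from the original page.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Resource:
    """One entry of a service resource pool: IP address + mask, protocol type and port."""
    network: ipaddress.IPv4Network
    protocol: str           # "tcp", "udp" or "any"
    port: Optional[int]     # None means any port

    def matches(self, dst_ip: str, protocol: str, port: int) -> bool:
        return (ipaddress.ip_address(dst_ip) in self.network
                and self.protocol in ("any", protocol)
                and self.port in (None, port))


@dataclass
class PostAuthDomain:
    """A post-authentication domain: the selected resource pool plus a default action."""
    name: str
    resources: List[Resource]
    default_deny: bool = True   # True = "default ban", False = "default release"

    def allows(self, dst_ip: str, protocol: str, port: int) -> bool:
        selected = any(r.matches(dst_ip, protocol, port) for r in self.resources)
        # default ban:     only the selected resources are released
        # default release: everything is released except the selected resources
        return selected if self.default_deny else not selected


def pool_entry(cidr: str, protocol: str, port: Optional[int]) -> Resource:
    return Resource(ipaddress.ip_network(cidr), protocol, port)


# Independent resource pools, one per service system (constructed sample addresses).
POOL_A = [pool_entry("10.1.1.0/24", "tcp", 443)]    # department A's service server
POOL_B = [pool_entry("10.1.2.0/24", "tcp", 8080)]   # department B's service server

DOMAINS: Dict[str, PostAuthDomain] = {
    "domain_A": PostAuthDomain("domain_A", POOL_A),
    "domain_B": PostAuthDomain("domain_B", POOL_B),
    # Point 3: one object cannot hold two domains, so a cross-department user gets
    # a separate domain whose pool contains both systems' controlled resources.
    "domain_AB": PostAuthDomain("domain_AB", POOL_A + POOL_B),
    # Point 1, "default release": everything released except department B's server.
    "domain_all_but_B": PostAuthDomain("domain_all_but_B", POOL_B, default_deny=False),
}

# Each department or individual user is assigned exactly one post-authentication domain.
ASSIGNMENT: Dict[str, str] = {
    "dept_A": "domain_A",
    "dept_B": "domain_B",
    "user_x": "domain_AB",
    "contractor": "domain_all_but_B",
}


def check_access(obj: str, dst_ip: str, protocol: str, port: int) -> bool:
    """Would traffic from `obj` (already past identity and security authentication) be released?"""
    return DOMAINS[ASSIGNMENT[obj]].allows(dst_ip, protocol, port)


if __name__ == "__main__":
    for obj, ip, port in [("dept_A", "10.1.1.10", 443), ("dept_A", "10.1.2.10", 8080),
                          ("dept_B", "10.1.2.10", 8080), ("user_x", "10.1.2.10", 8080)]:
        print(obj, ip, port, "release" if check_access(obj, ip, "tcp", port) else "ban")
```

Because each pool entry carries the port as well as the subnet, a department that is released to its own server on one port is still banned from a different port on the same host; that is the "refining controlled domain resources" step, and it is what keeps the department-to-system mapping one-to-one.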